CVE-2021-24544: Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting

Vendor: Unknown
Product: Responsive WordPress Slider
Weakness: CWE-79 (Cross-Site Scripting)
Published: October 25, 2021
Last update: August 3, 2024

Description

The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be stored in them. Furthermore, by default any authenticated user is allowed to create Sliders (see https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/; this can be changed in the plugin's settings), so a user with a role as low as Subscriber can perform Cross-Site Scripting attacks against logged-in admins viewing the slider list. This could lead to privilege escalation, for example by creating a rogue admin account.
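The following is an added illustration, not code from the Responsive WordPress Slider plugin: a hypothetical slider-option handler that shows the defect class described above (unsanitised input stored, then echoed unescaped into the admin slider list, reachable by any logged-in user) beside a hardened version that checks capability, sanitises on save and escapes on output. Function names prefixed `rws_` and the `_slider_title` meta key are assumptions; the WordPress API calls are real and the snippet is meant to run inside WordPress.

```php
<?php
// Added illustration (not the plugin's code) of the CVE-2021-24544 defect class.
// Assumes it is loaded inside WordPress so sanitize_text_field(), esc_html(),
// current_user_can(), check_admin_referer() etc. are available.

// --- Vulnerable pattern: raw input stored, raw value echoed to the admin list. ---
function rws_save_slider_option_vulnerable( int $slider_id ) {
    // No capability check: any logged-in user who reaches this handler can save.
    // No sanitisation: a "<script>..." payload is stored verbatim as the title.
    update_post_meta( $slider_id, '_slider_title', $_POST['slider_title'] );
}

function rws_render_slider_row_vulnerable( int $slider_id ): string {
    $title = get_post_meta( $slider_id, '_slider_title', true );
    // Unescaped output: whatever was stored runs in the viewing admin's browser.
    return '<tr><td>' . $title . '</td></tr>';
}

// --- Hardened pattern: check capability, sanitise on save, escape on output. ---
function rws_save_slider_option_hardened( int $slider_id ) {
    // Require an actual editing capability on this slider, not merely "logged in";
    // this closes the Subscriber-level access path described in the advisory.
    if ( ! current_user_can( 'edit_post', $slider_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check ties the request to a form this user actually loaded (CSRF).
    check_admin_referer( 'rws_save_slider_' . $slider_id );
    // Strip tags and control characters before the value reaches the database.
    $title = sanitize_text_field( wp_unslash( $_POST['slider_title'] ?? '' ) );
    update_post_meta( $slider_id, '_slider_title', $title );
}

function rws_render_slider_row_hardened( int $slider_id ): string {
    $title = get_post_meta( $slider_id, '_slider_title', true );
    // Escape at the point of output regardless of what is stored: defence in depth
    // against values written by older plugin versions or other code paths.
    return '<tr><td>' . esc_html( $title ) . '</td></tr>';
}
```

Escaping on output is the control that would have blocked this stored XSS even for records saved before the fix; sanitising on save and the capability check reduce who can write and what gets stored.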

Disclosure timeline

October 25, 2021: CVE published
August 3, 2024: Record updated